The trend among nations is to increase their offensive cyber security capabilities yet there remains inadequate deterrence effects and a lack of security resources to combat cyber threats, the head of the cyber security company FireEye [FEYE] says in a new report by the company that makes predictions for security in 2019.

“In my travels, I have the privilege of meeting with government officials from around the globe, and in nearly every conversation I inevitably get the same question within the first 10 minutes,” Mandia says in a section he wrote for the report released on Thursday. “Whether it be in the Middle East, Europe, Asia or North America, they ask how they can develop and offensive capability for their own nation.”

Kevin Mandia, CEO of FireEye. Photo: FireEye
Kevin Mandia, CEO of FireEye. Photo: FireEye

More countries will develop offensive cyber capabilities in 2019 and beyond, because without them, they believe they are at a “disadvantage” Mandia says.

And more aggressive attacks are on the rise, he says, pointing to threat actors from Russia as an example. Norms of behavior are deteriorating, leading to uncertainty among nation-states about what is basically acceptable and what isn’t in cyber space.

The increasing number of attacks and breaches is due to the lack of effective deterrents, Mandia says.

“Unfortunately, the attacks that lead to breaches do not appear to be slowing down,” he says. “One reason why is that there are still no risks or repercussions for those who are conducting the breaches. The attackers are not waking up fearful that they are going to get arrested for stealing email or extorting someone for a certain amount of cryptocurrency. Without a deterrent, attackers are going to keep targeting networks and getting through.”

Grant Schneider, the U.S. government’s federal chief information security officer and the senior cyber security policy adviser on the National Security Council, said at an event on Thursday that the Trump administration is taking cyber deterrence seriously. Schneider, like officials in the former Obama administration, said that the U.S. has a wide array of means it is applying to deter cyber hacks and attacks, including sanctions, indictments that limit the ability of foreign actors to travel and impede their careers, arrests, and other tools that aren’t publicly visible.

Schneider, in a brief gaggle with reporters after he gave the morning keynote presentation at the CyberSat18 conference hosted by Via Satellite magazine, said he believes the Trump administration is applying more cyber deterrence tools than the Obama administration, although he acknowledged that he hasn’t seen an analysis that quantifies his assessment.

When it comes to resources for combatting cyber threats, Mandia says large companies have the resources to build “a mature security program,” noting “they still get breached.” But, he says, small and medium-sized companies don’t have the same resources and can’t build the same level of security, which presents potential problems for everyone.

“The ‘smalls’ are the softer targets, and they comprise the supply chains for the larger organizations,” he says. “If these softer ‘smalls’ end up getting compromised, the supply chain will be compromised, and that results in a backdoor into the larger enterprises with the mature security programs.”

Howard Marshall, director of Cyber Threat Intelligence at Accenture [ACN], who was part of a panel at CyberSat18 on the evolving threat landscape, echoed Mandia’s concerns about the supply chain. He said the further down the value chain of suppliers, cyber security is less of a concern for company leaders, even if their chief information security officer is saying more needs to be done.

Marshall, a former FBI official who dealt with cyber issues when he was with the bureau, said the CISO’s loved the training and information they received from the FBI but said they couldn’t “move that needle” inside their companies when it comes to cyber security needs.